ETSI QKD – The Little-Known Protocol with Big Security Implications

There’s no denying that 2019 saw a lot of traction on the quantum computing front. Microsoft and Amazon are building quantum offerings into their cloud services. Intel announced a quantum-controller. Google claims “quantum supremacy,” only to see IBM dispute that claim shortly thereafter. IBM announced that they had again doubled the “quantum volume” of their quantum computer. These achievements illustrate that the era of quantum computing is upon us, and so too is the concern that quantum computers will soon break the public key encryption on which most networks, including the Internet, rely on to secure data. In the shadows of these major milestones by the world’s foremost technology vendors, 2019 also saw a little-known protocol ratification that could have a big impact on quantum preparedness.

The ETSI QKD Standard

In February 2019 ESTI, the European Telecommunications Standards Institute, published the GS QKD 014 protocol for REST-based key delivery. This defined a REST API by which devices (such as encryptors) and applications can request keys from Quantum Key Distribution (QKD) systems. It’s important to note that while the acronym ETSI points to the group’s European and telecommunications origins, the protocols the group has created are used by organizations in all industries headquartered throughout the world.

QKD is seen as a strong defense against the quantum computing threat. The theoretically unbreakable technology uses quantum physics to ensure that keys cannot be intercepted during transmission from one place to another. If you can’t intercept the keys, then no amount of computing power will let you break them. QKD keys are sent over a separate network from the data. By facilitating out-of-band key distribution, the ETSI QKD (EQKD)rotocol ensures that an attacker cannot simply harvest data from a TLS/SSL session and then decrypt it later when a quantum computer is available (or otherwise find a way to break the public key encryption used by TLS/SSL). This immediately raises the bar for the attacker, while minimally impacting the existing encryption infrastructure.

Why it Matters

The EQKD standard makes it easier for the makers of encryption hardware and software to consume quantum-safe keys, because they have one protocol to work with, regardless of QKD vendor (Note: other key-distribution solutions are already using ETSI). In addition, the way that the protocol is implemented allows the encryption vendors to maintain their existing certifications (FIPS, Common Criteria, ANSSI, PCI, etc.) while making their products quantum-safe.

The EQKD protocol specification makes it simple for hardware/software vendors to deploy. For any device or application – Secure Application Entity (SAE) – that needs to share keys with a partner, they only need to know the name of the key provider – Key Management Entity (KME) – and the name and/or network address of the partner with whom they need to share a key. The KME takes care of the generation and distribution of the shared key to the partner. Because a KME does not have to be a QKD system, other quantum-safe key distribution solutions can be deployed. For example, ETSI facilitates the use of KME’s that support other key transmission technologies in cases where QKD is not a viable option. This can greatly expand the quantum-safe footprint for an organization.

Organizations need to start thinking about ways to provide quantum-safe key distribution in a timely manner. Quantum Xchange is proud to embrace the EQKD standard and we applaud our hardware partners for doing the same. We are committed to helping organizations deploy a crypto-agile infrastructure that offers quantum-safe key distribution today and eases the on-ramp to QKD-level security.


Sign Up for Updates from Quantum Xchange

Quantum Xchange does not share or rent your information to any third parties.